Skip to content

Proposal: Respect AWS_REGION Environment Variable in STS Region Resolution #7455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Proposal: Respect AWS_REGION Environment Variable in STS Region Resolution #7455

wants to merge 1 commit into from
+12 −6

Conversation

@tkesk-n
Copy link

@tkesk-n tkesk-n commented Oct 24, 2025

Respect AWS_REGION Environment Variable in STS Region Resolution

Issue

Related to common issues with Kubernetes IRSA and container-based deployments where AWS_REGION environment variable is set but ignored by STS client.

Description

What This Implements

This PR updates the STS client's resolveRegion function to check AWS_REGION and AWS_DEFAULT_REGION environment variables before falling back to the hardcoded us-east-1 default region.

Files Modified:

  • Template file: codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
  • Generated STS client: clients/client-sts/src/defaultStsRoleAssumers.ts
  • Nested clients: packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts

Current Behavior (Problem)

Currently, when the AWS SDK for JavaScript v3 makes STS API calls (e.g., AssumeRole, AssumeRoleWithWebIdentity), it uses the following region resolution priority:

  1. Explicitly passed region parameter
  2. parentRegion from parent client config
  3. Hardcoded us-east-1 ⬅️ Problem

This causes unexpected behavior when:

  • Users have AWS_REGION or AWS_DEFAULT_REGION environment variables set
  • Applications run in containerized environments (Kubernetes, ECS, etc.) with region configured via environment variables
  • IRSA (IAM Roles for Service Accounts) is used in Kubernetes/EKS

Real-World Impact

In Kubernetes environments using IRSA, pods typically have these environment variables set:

AWS_REGION=eu-central-1
AWS_DEFAULT_REGION=eu-central-1
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

Despite having the correct region configured, STS requests unexpectedly go to us-east-1, causing:

  • Increased latency due to cross-region calls
  • Potential failures if STS regional endpoints are not enabled
  • Confusion about which region is being used
  • Inconsistent behavior compared to other AWS SDKs

New Behavior (Solution)

The updated resolveRegion function now checks environment variables:

const resolveRegion = async (
  _region: string | Provider<string> | undefined,
  _parentRegion: string | Provider<string> | undefined,
  credentialProviderLogger?: Logger
): Promise<string> => {
  const region: string | undefined = typeof _region === "function" ? await _region() : _region;
  const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
  const envRegion = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;

  credentialProviderLogger?.debug?.(
    "@aws-sdk/client-sts::resolveRegion",
    "accepting first of:",
    `${region} (provider)`,
    `${parentRegion} (parent client)`,
    `${envRegion} (environment)`,
    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
  );
  return region ?? parentRegion ?? envRegion ?? ASSUME_ROLE_DEFAULT_REGION;
};

New Region Resolution Priority:

  1. Explicitly passed region parameter (highest priority)
  2. parentRegion from parent client config
  3. AWS_REGION environment variable ⬅️ NEW
  4. AWS_DEFAULT_REGION environment variable ⬅️ NEW
  5. us-east-1 hardcoded default (lowest priority)

Why This Change is Important

1. Aligns with AWS Best Practices

  • The AWS CLI respects AWS_REGION and AWS_DEFAULT_REGION
  • Other AWS SDKs (Python boto3, Java, Go, .NET) all respect these environment variables
  • AWS Lambda, ECS, and other managed services set AWS_REGION automatically

2. Principle of Least Surprise

  • Developers expect environment variables to work consistently across all AWS tooling
  • When AWS_REGION is set but ignored, it creates confusion and debugging overhead

3. Container/Kubernetes Native

  • Modern cloud-native applications use environment variables for configuration
  • EKS IRSA, ECS tasks, and other container orchestration tools set these variables
  • Eliminates need for explicit region configuration in containerized environments

4. Consistency with Other SDK Components

  • fromTemporaryCredentials already uses env.AWS_REGION (see packages/credential-providers/src/fromTemporaryCredentials.ts)
  • Only the internal STS region resolution was missing this check

5. Prevents Unexpected Cross-Region Calls

  • Eliminates increased latency (100-300ms+)
  • Reduces cross-region data transfer costs
  • Prevents failures when regional STS endpoints aren't enabled

Backward Compatibility

This change is fully backward compatible:

✅ Existing code with explicit region configuration continues to work (highest priority)
✅ Parent client region configuration still works (second priority)
✅ Applications without any region configuration still get us-east-1 (lowest priority)
✅ No breaking changes to any public APIs
✅ Only adds a fallback layer before the hardcoded default

Testing

This change will be tested to verify:

  1. ✅ Explicit region parameter still takes highest priority
  2. ✅ Parent client region still works when no explicit region is provided
  3. AWS_REGION environment variable is respected when set
  4. AWS_DEFAULT_REGION is used as fallback if AWS_REGION is not set
  5. ✅ Falls back to us-east-1 when no region is configured anywhere
  6. ✅ Works correctly in Kubernetes IRSA scenarios
  7. ✅ Debug logging shows the correct resolution order

Test Plan

describe('STS Region Resolution', () => {
  it('should use explicit region parameter over environment', async () => {
    process.env.AWS_REGION = 'eu-west-1';
    const provider = fromNodeProviderChain({ clientConfig: { region: 'us-west-2' } });
    // Should use us-west-2 (explicit parameter takes priority)
  });

  it('should use AWS_REGION environment variable when no explicit region', async () => {
    process.env.AWS_REGION = 'eu-central-1';
    const provider = fromNodeProviderChain();
    // Should use eu-central-1 (from environment)
  });

  it('should fallback to AWS_DEFAULT_REGION when AWS_REGION not set', async () => {
    delete process.env.AWS_REGION;
    process.env.AWS_DEFAULT_REGION = 'ap-southeast-1';
    const provider = fromNodeProviderChain();
    // Should use ap-southeast-1 (fallback environment variable)
  });

  it('should fallback to us-east-1 when no region configured', async () => {
    delete process.env.AWS_REGION;
    delete process.env.AWS_DEFAULT_REGION;
    const provider = fromNodeProviderChain();
    // Should use us-east-1 (hardcoded default)
  });
});

Additional Context

Benefits Summary

Benefit Impact
Developer Experience Reduces configuration boilerplate, follows principle of least surprise
Performance Eliminates unnecessary cross-region STS calls, reduces latency
Compatibility Aligns with AWS CLI, other SDKs, and AWS best practices
Modern Architecture Works seamlessly with containers, Kubernetes, and cloud-native patterns
Backward Compatibility No breaking changes, existing code continues to work
Cost Reduces cross-region data transfer costs
Security Supports region-restricted compliance requirements

Related Use Cases

This change addresses common pain points:

  • Kubernetes IRSA users experiencing unexpected us-east-1 STS calls
  • Container-based applications where region is set via environment
  • Multi-region deployments where explicit configuration is impractical
  • Migration from AWS SDK v2 where environment variables worked differently

References

Checklist

  • If the PR is a feature, add integration tests (*.integ.spec.ts).
  • If you wrote E2E tests, are they resilient to concurrent I/O?
  • If adding new public functions, did you add the @public tag and enable doc generation on the package?

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@tkesk-n tkesk-n requested a review from a team as a code owner October 24, 2025 08:15
@tkesk-n tkesk-n changed the title # Proposal: Respect AWS_REGION Environment Variable in STS Region Resolution Proposal: Respect AWS_REGION Environment Variable in STS Region Resolution Oct 24, 2025
@kuhe
Copy link
Contributor

kuhe commented Oct 24, 2025

This use case is fixed by the change applied for #7452 which is in this version: https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.917.0.

The cause is the fromTokenFile credential provider not passing through the contextual client region rather than what's described in this PR.

We cannot accept the change in the PR, but a similar change will be implemented by #7456.

@kuhe kuhe closed this Oct 24, 2025
@kuhe
Copy link
Contributor

kuhe commented Oct 25, 2025

There is a types compilation bug in v3.917.0, so the expected fix will be in v3.918.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tkesk-n @kuhe